1. Home
  2. CWE Database
  3. CWE-1189
Base · Medium

CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.

CWE-1189 · Base Level ·2 CVEs ·1 Mitigations

Description

The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.

A System-On-a-Chip (SoC) has a lot of functionality, but it may have a limited number of pins or pads. A pin can only perform one function at a time. However, it can be configured to perform multiple different functions. This technique is called pin multiplexing. Similarly, several resources on the chip may be shared to multiplex and support different features or functions. When such resources are shared between trusted and untrusted agents, untrusted agents may be able to access the assets intended to be accessed only by the trusted agents.

Potential Impact

Access Control

Bypass Protection Mechanism

Integrity

Quality Degradation

Mitigations & Prevention

Architecture and Design

When sharing resources, avoid mixing agents of varying trust levels. Untrusted agents should not share resources with trusted agents.

Detection Methods

  • Automated Dynamic Analysis High — Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system f

Real-World CVE Examples

CVE IDDescription
CVE-2020-8698Processor has improper isolation of shared resources allowing for information disclosure.
CVE-2019-6260Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address

CWE-653: Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different ...

CWE-668: Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the...

CWE-1331: Improper Isolation of Shared Resources in Network On Chip (NoC)

The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that t...

Frequently Asked Questions

What is CWE-1189?

CWE-1189 (Improper Isolation of Shared Resources on System-on-a-Chip (SoC)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.

How can CWE-1189 be exploited?

Attackers can exploit CWE-1189 (Improper Isolation of Shared Resources on System-on-a-Chip (SoC)) to bypass protection mechanism. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-1189?

Key mitigations include: When sharing resources, avoid mixing agents of varying trust levels. Untrusted agents should not share resources with trusted agents.

What is the severity of CWE-1189?

CWE-1189 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.